Exploiting Top 10 API Vulnerabilities with Vulnerable API

Author: Mbachan Fabrice Tanwan Author's Avatar

Affiliation: Innopolis University Author's Avatar

Introduction

The OWASP API Security Top 10 outlines the most significant API security risks that developers and organizations need to be mindful of. This guide offers a walkthrough for exploiting these vulnerabilities using Vulnerable-API, a self-hosted Python application crafted to simulate OWASP API Top 10 scenarios through hands-on exercises.

Vulnerable-API, which can be found on GitHub at https://github.com/SNE-M23-SN/Vulnerable-API, its simple to set up by following the instructions provided in the README.md file. The guide includes steps on how to setup and exploit some of the vulnerabilities .
Note for the first part only 5 exploitation will be carried out.

Tools and Setup

To obtain a thorough grasp of the vulnerabilities you’re working with and properly exploit them, you’ll need a set of specific tools. Here’s a list of key tools you’ll need.

  1. Docker

    Docker is a platform that has gained wide acceptance for containerization. It greatly simplifies the process of managing and deploying applications in containers, making it a vital tool for any developer.

  1. Burp Suite

    Burp Suite is a formidable tool in the realm of web application security testing. It offers a wide array of features, suitable for both manual and automated testing. It plays a vital role in intercepting and analyzing HTTP requests and responses, making it indispensable for security testing.


  1. Postman

    Postman has garnered popularity as a highly effective tool for testing APIs. It provides an intuitive user interface that allows you to easily send HTTP requests and closely examine the responses you receive. You have the option to use either the desktop application or the web version, depending on your preference.


Postman and Burp Suite are both popular tools used for API testing, but they serve different purposes:

Combining Postman and Burp Suite in this guide can be beneficial for the following reasons:

  1. Postman can be used to create and execute API requests, while Burp Suite can intercept and analyze the traffic to identify potential security issues.

  2. Burp Suite can be used to test APIs for vulnerabilities like injection flaws, broken authentication, and security misconfigurations, which are covered in the OWASP API Security Top 10.

  3. Using both tools together provides a more comprehensive approach to API testing, leveraging the strengths of each tool.

Docker is chosen as the containerization tool in this guide for several reasons:

  1. Docker is the most popular and widely-used containerization platform, with a large and active community.

  2. Docker provides a consistent and reproducible environment for running applications, making it easier to set up and deploy the vAPI application.

  3. Docker simplifies the management of dependencies and ensures that the application runs consistently across different environments.

In addition to Docker, this guide will also use Docker Compose to define and manage the multi-container application. Docker Compose allows you to define the services, networks, and volumes required for the application in a single configuration file, making it easier to set up and manage the environment.


Setting Up Vulnerable-API

We can setup Vulnerable-API manually by installing directly on our system or use Docker to run a conterized app of the vulnerable-API. Using docker helps isolate the application from our host system.
in this Exercise we are going to use Docker we assume Docker is already installed.

  1. Clone the Vulnerable-API Repository
    First, clone the Vulnerable-API repository from GitHub to your local machine:

  2. Set Up the Docker image using the Build command

Run the following command

so now we have our environment set up lets see how we can possibly exploit some of the Vulnerabilities in the app such as:

1. Data Exposure by Logic Issues

Endpoint: /accounts/

Steps to Exploit:

Log in as a legitimate user to get a valid JWT token (see the data folder to get user).

Obtain JWT Token:

Use the token to access the /accounts/ endpoint.

Access /accounts/ Endpoint:

From the previous screenshot we can see that modifying the with the usename parameter and another username does not expose any data as seen from the above screenshot. so we can conclude that this app is not vulnerable to Data Exposure by Logic issues

2. SQL Injection Attack

To test the application with sqlmap we provide a target url with a customised query parameter
sqlmap --url "http://localhost:8000/bank_codes?code=1"

after executing the command with the GET parameter code we discover that it is injectable hence suitable for our task. the DBMS found is SQLite as seen above.To get all the database content we will make a database dump as shown below using.

sqlmap --url "http://localhost:8000/bank_codes?code=1" --dump


With all this we have been able to get details about the application database entries through sql injection. This demontrate that the application is vulnerable to SQL Injection Attacks

3. FIle Inclusion/Path Traversal

This vulnerability allows an attacker to access files or directories that are outside the web server’s root directory. Attackers can manipulate file paths to access unauthorized files.

Steps to exploit

Get JWT Token: (As shown in Attack 1)

Send Malicious Payload:

4. Server Side Template Injection

Server Side Template Injection (SSTI) is a serious vulnerability that occurs when an application allows user input to directly control or influence templates on the server-side. This can lead to arbitrary code execution and compromise the security of the application.

What is SSTI?

SSTI occurs when user-controllable data (typically via HTTP parameters or user inputs) is embedded within a template context on the server-side.
Templates are often used in web applications for rendering dynamic content, such as HTML pages, emails, or other text-based formats.

Steps to Exploit:

Inject Malicious Template: Make a GET request to the greeter endpoint with the following:

After sending the request the server responds with a Hello {{ ‘<script>alert(“XSS”)</script>’ }} demonstrating that the injection was successful

Impact of SSTI:

5. Dumping In-Memory Data

The “Dumping In-Memory Data” attack refers to the exploitation of vulnerabilities that allow an attacker to access and extract sensitive data directly from a web application’s memory space. This can be particularly damaging because the data stored in memory often includes session tokens, plaintext passwords, API keys, and other sensitive information used during the application’s runtime

Exploiting Dumping In-Memory Data

1. Identify Endpoints

Endpoints: /vulnapi/inmemory/usersdb
            /vulnapi/inmemory/accounts

These endpoints are designed to dump sensitive in-memory data, allowing unauthorized access to user and account information.

2. Steps to Exploit

The successful exploition of the vulnerabilities in our intentionally vulnerable API can be significant and illustrates the potential risks associated with poor application security practices. some key impacts include:

Data Exposure:

Sensitive Information Leakage: Attackers can access usernames, email addresses, hashed passwords, plaintext passwords, and other personal details of users. This information can be exploited for identity theft, unauthorized access, or phishing attacks.

Conclusion

The successful exploitation of the vulnerabilities in our intentionally vulnerable API illustrates the potential risks associated with poor application security practices. Key impacts include data exposure, identity theft, unauthorized access, and more. Following best practices in application security is essential to protect sensitive information and maintain the integrity of web applications.